0216 Frame Relay + IPsec
Original
© Copyright belongs to the author: an original work by 51CTO blog author 810105851. Contact the author for permission to republish; otherwise legal liability will be pursued.
Topology diagram:
Configuration parameters:
R1
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123456 address 1.1.1.2
crypto isakmp key 123456 address 1.1.1.3
crypto ipsec transform-set myset esp-3des esp-md5-hmac   // Note: AH parameters can also be configured over Frame Relay; this has been tested successfully!
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set myset
 match address 100
crypto map mymap 20 ipsec-isakmp
 set peer 1.1.1.3
 set transform-set myset
 match address 101
interface Serial0/0
 ip address 1.1.1.1 255.255.255.0
 encapsulation frame-relay IETF
 frame-relay map ip 1.1.1.2 26
 frame-relay map ip 1.1.1.3 27
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 crypto map mymap
ip route 192.168.2.0 255.255.255.0 1.1.1.2
ip route 192.168.3.0 255.255.255.0 1.1.1.3
R3
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123456 address 1.1.1.1
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myset
 match address 100
interface Serial0/0
 ip address 1.1.1.2 255.255.255.0
 encapsulation frame-relay IETF
 frame-relay map ip 1.1.1.1 36
 frame-relay map ip 1.1.1.3 36
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 crypto map mymap
ip route 192.168.1.0 255.255.255.0 1.1.1.1
R4
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123456 address 1.1.1.1
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myset
 match address 100
interface Serial0/0
 ip address 1.1.1.3 255.255.255.0
 encapsulation frame-relay IETF
 frame-relay map ip 1.1.1.1 37
 frame-relay map ip 1.1.1.2 37
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 crypto map mymap
ip route 192.168.1.0 255.255.255.0 1.1.1.1
R2
frame-relay switching
interface Serial0/0
 no ip address
 encapsulation frame-relay IETF
 serial restart-delay 0
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 26 interface Serial0/1 36
 frame-relay route 27 interface Serial0/2 37
interface Serial0/1
 no ip address
 encapsulation frame-relay IETF
 serial restart-delay 0
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 36 interface Serial0/0 26
interface Serial0/2
 no ip address
 encapsulation frame-relay IETF
 serial restart-delay 0
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 37 interface Serial0/0 27
Test:
R2:
r2#SH FRAM ROU
Input Intf      Input Dlci      Output Intf     Output Dlci     Status
Serial0/0       26              Serial0/1       36              active
Serial0/0       27              Serial0/2       37              active
Serial0/1       36              Serial0/0       26              active
Serial0/2       37              Serial0/0       27              active
R1:
r1#SH CRY IS SA
dst             src             state          conn-id    slot
1.1.1.1         1.1.1.2         QM_IDLE              1       0
1.1.1.1         1.1.1.3         QM_IDLE              2       0
R3:
r3#SH CRY IS SA
dst             src             state          conn-id    slot
1.1.1.1         1.1.1.2         QM_IDLE              1       0
R4:
r4#SH CRY IS SA
dst             src             state          conn-id    slot
1.1.1.1         1.1.1.3         QM_IDLE              1       0
VPC:
Tested using VPCs
VPC1: the headquarters LAN can ping branch 1 and branch 2
VPC2: branch 1 can ping the headquarters LAN
VPC3: branch 2 can ping the headquarters LAN
Test:
r1#sh cry ip sa

interface: Serial0/0
    Crypto map tag: mymap, local addr. 1.1.1.1

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 1.1.1.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
     path mtu 1500, media mtu 1500
     current outbound spi: 6DA96143

     inbound esp sas:
      spi: 0x47E18A8B(1205963403)      ------> IN corresponds to R3's OUT
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4561490/2009)
        ike_cookies: 4212F6AE 2BE257C8 70AA7619 C7B2C848
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6DA96143(1839817027)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4561492/2008)
        ike_cookies: 4212F6AE 2BE257C8 70AA7619 C7B2C848
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer: 1.1.1.3:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.3
     path mtu 1500, media mtu 1500
     current outbound spi: 935F895E

     inbound esp sas:
      spi: 0x189C7927(412907815)      ------> IN corresponds to R4's OUT
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2002, flow_id: 3, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4410147/2372)
        ike_cookies: 0304C43A 22E2C670 2D431BA9 28CCCCBE
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x935F895E(2472511838)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2003, flow_id: 4, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4410149/2372)
        ike_cookies: 0304C43A 22E2C670 2D431BA9 28CCCCBE
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
r1#
r3#sh cry ip sa

interface: Serial0/0
    Crypto map tag: mymap, local addr. 1.1.1.2

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0

     local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 47E18A8B

     inbound esp sas:
      spi: 0x6DA96143(1839817027)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4434742/1960)
        ike_cookies: 70AA7619 C7B2C848 4212F6AE 2BE257C8
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x47E18A8B(1205963403)      ------> OUT corresponds to R1's IN
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4434744/1960)
        ike_cookies: 70AA7619 C7B2C848 4212F6AE 2BE257C8
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
r3#
r4#sh cry ip sa

interface: Serial0/0
    Crypto map tag: mymap, local addr. 1.1.1.3

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 1.1.1.3, remote crypto endpt.: 1.1.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 189C7927

     inbound esp sas:
      spi: 0x935F895E(2472511838)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4549234/2304)
        ike_cookies: 2D431BA9 28CCCCBE 0304C43A 22E2C670
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x189C7927(412907815)      ------> OUT corresponds to R1's IN
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4549236/2304)
        ike_cookies: 2D431BA9 28CCCCBE 0304C43A 22E2C670
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
r4#
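The SPI pairing annotated in the output above (R1's inbound SPI equals R3's outbound SPI, and vice versa) is the quickest way to confirm that the two SAs of a tunnel really belong to each other. The following Python script is an added example, not code from the original post: it parses constructed excerpts of the page's "show crypto ipsec sa" output (reduced to the needed lines, annotations removed), cross-checks the SPIs of one hub-to-spoke tunnel, and also flags the esp-3des/esp-md5-hmac transform set this lab uses, which current guidance treats as legacy (AES and SHA-2 HMACs are the preferred choice).

```python
import re

# Constructed excerpts of the page's "show crypto ipsec sa" output on R1 and R3,
# reduced to the lines this check needs, with the "------>" annotations removed.
R1_OUTPUT = """\
   current_peer: 1.1.1.2:500
   inbound esp sas:
    spi: 0x47E18A8B(1205963403)
     transform: esp-3des esp-md5-hmac ,
   outbound esp sas:
    spi: 0x6DA96143(1839817027)
     transform: esp-3des esp-md5-hmac ,
"""
R3_OUTPUT = """\
   current_peer: 1.1.1.1:500
   inbound esp sas:
    spi: 0x6DA96143(1839817027)
     transform: esp-3des esp-md5-hmac ,
   outbound esp sas:
    spi: 0x47E18A8B(1205963403)
     transform: esp-3des esp-md5-hmac ,
"""

PEER_RE = re.compile(r"current_peer: (\d+(?:\.\d+){3}):\d+")
SA_RE = re.compile(r"(inbound|outbound) esp sas:\s*spi: 0x([0-9A-Fa-f]+)\(\d+\)[^\n]*\n\s*transform: ([^,]+),")
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac"}  # algorithms current guidance treats as legacy

def parse_sa(output):
    """Return {peer_ip: {"inbound": (spi, transform), "outbound": (spi, transform)}}."""
    parts = PEER_RE.split(output)  # [preamble, peer1, body1, peer2, body2, ...]
    return {peer: {d: (spi.upper(), tf.strip()) for d, spi, tf in SA_RE.findall(body)}
            for peer, body in zip(parts[1::2], parts[2::2])}

def check_pair(local_out, local_ip, remote_out, remote_ip):
    """Cross-check one tunnel: each side's inbound SPI must equal the other side's outbound SPI."""
    local = parse_sa(local_out).get(remote_ip, {})
    remote = parse_sa(remote_out).get(local_ip, {})
    if len(local) < 2 or len(remote) < 2:
        return [f"no complete IPsec SA pair between {local_ip} and {remote_ip}"]
    findings = []
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        if local[mine][0] != remote[theirs][0]:
            findings.append(f"{local_ip} {mine} SPI {local[mine][0]} != "
                            f"{remote_ip} {theirs} SPI {remote[theirs][0]}")
    for alg in local["outbound"][1].split():
        if alg in LEGACY:
            findings.append(f"legacy transform {alg} in use between {local_ip} and {remote_ip}")
    return findings
```

Calling check_pair(R1_OUTPUT, "1.1.1.1", R3_OUTPUT, "1.1.1.2") on these excerpts reports no SPI mismatch, only the two legacy-transform findings; the same function applied to R1 and R4 output checks the second tunnel.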